Apologies if this question seems foolish - I am a little out of my depth trying to track down some apparent malware that MalwareBytes, Bitdefender Total Security and other virus scans don't catch. My DNS cache shows that something on my laptop is connecting to undesirable websites, so is there a way I can use Wireshark to identify what program (etc.) is responsible? If I sit and wait long enough, I can see the connections appearing in Wireshark, but I don't see anything informative in the packet description (example below, from the first in the series).
I have tried NetStat -o to see processes associated with active connections, but none of the foreign addresses it shows are the ones I am looking for. (Maybe I was too slow and didn't catch it?) So, how can I see what is invoking the unwanted connection?
Thanks.
Frame 92580: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{6F74599A-5AAF-47B5-9D65-43FDB69A7A36}, id 0
Section number: 1
Interface id: 0 (\Device\NPF_{6F74599A-5AAF-47B5-9D65-43FDB69A7A36})
Interface name: \Device\NPF_{6F74599A-5AAF-47B5-9D65-43FDB69A7A36}
Interface description: WiFi
Encapsulation type: Ethernet (1)
Arrival Time: Mar 3, 2025 14:42:13.335529000 Eastern Standard Time
UTC Arrival Time: Mar 3, 2025 19:42:13.335529000 UTC
Epoch Arrival Time: 1741030933.335529000
[Time shift for this packet: 0.000000000 seconds]
[Time delta from previous captured frame: 0.000834000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 872.571328000 seconds]
Frame Number: 92580
Frame Length: 66 bytes (528 bits)
Capture Length: 66 bytes (528 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
[Coloring Rule Name: TCP SYN/FIN]
[Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Intel_75:ea:90 (04:d3:b0:75:ea:90), Dst: TpLinkTechno_95:7a:a4 (d8:07:b6:95:7a:a4)
Destination: TpLinkTechno_95:7a:a4 (d8:07:b6:95:7a:a4)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Intel_75:ea:90 (04:d3:b0:75:ea:90)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
[Stream index: 1]
Internet Protocol Version 4, Src: 192.168.68.119, Dst: 104.18.22.107
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes (5)
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 52
Identification: 0x1d13 (7443)
010. .... = Flags: 0x2, Don't fragment
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
...0 0000 0000 0000 = Fragment Offset: 0
Time to Live: 128
Protocol: TCP (6)
Header Checksum: 0x5a14 [validation disabled]
[Header checksum status: Unverified]
Source Address: 192.168.68.119
Destination Address: 104.18.22.107
[Stream index: 15]
Transmission Control Protocol, Src Port: 52631, Dst Port: 443, Seq: 0, Len: 0
Source Port: 52631
Destination Port: 443
[Stream index: 1]
[Stream Packet Number: 1]
[Conversation completeness: Complete, WITH_DATA (31)]
..0. .... = RST: Absent
...1 .... = FIN: Present
.... 1... = Data: Present
.... .1.. = ACK: Present
.... ..1. = SYN-ACK: Present
.... ...1 = SYN: Present
[Completeness Flags: ·FDASS]
[TCP Segment Len: 0]
Sequence Number: 0 (relative sequence number)
Sequence Number (raw): 2378963573
[Next Sequence Number: 1 (relative sequence number)]
Acknowledgment Number: 0
Acknowledgment number (raw): 0
1000 .... = Header Length: 32 bytes (8)
Flags: 0x002 (SYN)
000. .... .... = Reserved: Not set
...0 .... .... = Accurate ECN: Not set
.... 0... .... = Congestion Window Reduced: Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...0 .... = Acknowledgment: Not set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish request (SYN): server port 443]
[Connection establish request (SYN): server port 443]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
[TCP Flags: ··········S·]
Window: 64240
[Calculated window size: 64240]
Checksum: 0x78ee [unverified]
[Checksum Status: Unverified]
Urgent Pointer: 0
Options: (12 bytes), Maximum segment size, No-Operation (NOP), Window scale, No-Operation (NOP), No-Operation (NOP), SACK permitted
TCP Option - Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - Window scale: 8 (multiply by 256)
Kind: Window Scale (3)
Length: 3
Shift count: 8
[Multiplier: 256]
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - No-Operation (NOP)
Kind: No-Operation (1)
TCP Option - SACK permitted
Kind: SACK Permitted (4)
Length: 2
[Timestamps]
[Time since first frame in this TCP stream: 0.000000000 seconds]
[Time since previous frame in this TCP stream: 0.000000000 seconds]
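Wireshark only sees frames on the wire, so the owning process is not in the capture; it has to come from the host's socket table. The script below is an added example, not part of the original post: it polls `netstat -ano` (the `-n` avoids the slow name lookups of plain `-o`, which is one reason a manual check can miss a short-lived SYN), picks out rows whose foreign address is one of the destinations seen in the capture (104.18.22.107 from the frame above), and resolves the PID with `tasklist`. The `SAMPLE_NETSTAT` text and the PID values in it are constructed for the offline demo; `poll()` is what you would actually run on the affected Windows laptop.

```python
"""
Attribute connections to a watched remote address to the owning process.

Added example, not from the original post. Assumes Windows, where
`netstat -ano` prints one row per socket with the owning PID in the last
column and `tasklist /FO CSV /FI "PID eq N"` reports the image name.
"""
import csv
import io
import re
import subprocess
import time

# Remote IPs to watch; 104.18.22.107 is the destination in the posted SYN frame.
TARGETS = {"104.18.22.107"}

# One netstat row: proto, local endpoint, foreign endpoint, optional state, PID.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Parse `netstat -ano` output into a list of connection dicts."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # skips the 'Active Connections' banner and the header row
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def split_endpoint(endpoint):
    """'104.18.22.107:443' -> ('104.18.22.107', 443); '[::1]:443' -> ('::1', 443)."""
    host, _, port = endpoint.rpartition(":")
    return (host.strip("[]"), int(port) if port.isdigit() else None)


def matches(rows, targets=TARGETS):
    """Return the rows whose foreign address is one of the watched IPs."""
    return [r for r in rows if split_endpoint(r["remote"])[0] in targets]


def process_name(pid):
    """Resolve a PID to an image name via tasklist (Windows only)."""
    out = subprocess.run(
        ["tasklist", "/FO", "CSV", "/NH", "/FI", f"PID eq {pid}"],
        capture_output=True, text=True).stdout
    rows = list(csv.reader(io.StringIO(out)))
    # A real CSV row has five fields; an "INFO: No tasks..." line has one.
    if rows and len(rows[0]) == 5:
        return rows[0][0]
    return "<exited before lookup>"


def poll(interval=0.05, duration=600):
    """Poll the socket table every `interval` seconds and report each new
    (pid, remote) pair once. A SYN to a host that does not answer lives only
    a few seconds in SYN_SENT, so poll far faster than a human can."""
    seen = set()
    deadline = time.time() + duration
    while time.time() < deadline:
        out = subprocess.run(["netstat", "-ano"],
                             capture_output=True, text=True).stdout
        for r in matches(parse_netstat(out)):
            key = (r["pid"], r["remote"])
            if key not in seen:
                seen.add(key)
                print(f"{time.strftime('%H:%M:%S')} pid={r['pid']} "
                      f"{process_name(r['pid'])} {r['local']} -> "
                      f"{r['remote']} {r['state']}")
        time.sleep(interval)


# Constructed sample of `netstat -ano` output for the offline demo.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1104
  TCP    192.168.68.119:52631   104.18.22.107:443      SYN_SENT        6532
  TCP    192.168.68.119:52640   140.82.112.22:443      ESTABLISHED     9812
  UDP    0.0.0.0:5353           *:*                                    3320
"""

if __name__ == "__main__":
    for r in matches(parse_netstat(SAMPLE_NETSTAT)):
        print(r)  # offline demo on the constructed sample
    # poll()      # uncomment on the affected Windows laptop
```

If the process exits between the SYN and the `tasklist` lookup, the name comes back as unresolved; in that case Sysmon Event ID 3 (network connection, logged with the image path and PID at connect time) is the more reliable way to tie the capture to a process, and its timestamps line up with the frame's arrival time shown above.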